/mandos/trunk : revision 965

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.xml

Committer: Teddy Hogeborn
Date: 2019-02-09 23:36:11 UTC
Revision ID: teddy@recompile.se-20190209233611-qurtq0kpsoct9uwf

Doc fix: Minor clarification

* mandos-clients.conf.xml (OPTIONS/checker): Be more clear that it's
specifically an SSH key fingerprint that is being compared, and no
other kind of fingerprint.

files added:
bugs.xml

debian/upstream

debian/upstream/signing-key.asc

initramfs-tools-conf

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

mandos.service

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

mandos-change-keytype

files modified:
DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

mandos.xml

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos">

<!ENTITY TIMESTAMP "2013-10-20">

<!ENTITY TIMESTAMP "2019-02-09">

<!ENTITY % common SYSTEM "common.ent">

%common;

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

106

111

107

112

<sbr/>

108

113

<arg><option>--foreground</option></arg>

114

<sbr/>

115

<arg><option>--no-zeroconf</option></arg>

109

116

</cmdsynopsis>

110

117

111

118

<command>&COMMANDNAME;</command>

322

329

</listitem>

323

330

</varlistentry>

324

331

332

333

<term><option>--no-zeroconf</option></term>

334

335

<xi:include href="mandos-options.xml" xpointer="zeroconf"/>

336

</listitem>

337

</varlistentry>

338

325

339

</variablelist>

326

340

</refsect1>

327

341

347

361

start a TLS protocol handshake with a slight quirk: the Mandos

348

362

server program acts as a TLS <quote>client</quote> while the

349

363

connecting Mandos client acts as a TLS <quote>server</quote>.

350

The Mandos client must supply an OpenPGP certificate, and the

351

fingerprint of this certificate is used by the Mandos server to

352

look up (in a list read from <filename>clients.conf</filename>

353

at start time) which binary blob to give the client. No other

354

authentication or authorization is done by the server.

364

The Mandos client must supply a TLS public key, and the key ID

365

of this public key is used by the Mandos server to look up (in a

366

list read from <filename>clients.conf</filename> at start time)

367

which binary blob to give the client. No other authentication

368

or authorization is done by the server.

355

369

</para>

356

370

<table>

357

371

<title>Mandos Protocol (Version 1)</title><tgroup cols="3"><thead>

377

391

</emphasis></entry>

378

392

</row>

379

393

<row>

380

<entry>OpenPGP public key (part of TLS handshake)</entry>

394

<entry>Public key (part of TLS handshake)</entry>

381

395

382

396

</row>

383

397

<row>

522

536

<para>

523

537

The file containing the process id of the

524

538

<command>&COMMANDNAME;</command> process started last.

539

<emphasis >Note:</emphasis> If the <filename

540

class="directory">/run</filename> directory does not

541

exist, <filename>/var/run/mandos.pid</filename> will be

542

used instead.

525

543

</para>

526

544

</listitem>

527

545

</varlistentry>

528

546

529

530

</varlistentry>

531

532

547

<term><filename

533

548

class="directory">/var/lib/mandos</filename></term>

534

549

540

555

</listitem>

541

556

</varlistentry>

542

557

543

558

544

559

545

560

<para>

546

561

The Unix domain socket to where local syslog messages are

571

586

<para>

572

587

There is no fine-grained control over logging and debug output.

573

588

</para>

574

<para>

575

This server does not check the expire time of clients’ OpenPGP

576

keys.

577

</para>

589

<xi:include href="bugs.xml"/>

578

590

</refsect1>

579

591

580

592

630

642

<title>CLIENTS</title>

631

643

<para>

632

644

The server only gives out its stored data to clients which

633

does have the OpenPGP key of the stored fingerprint. This is

634

guaranteed by the fact that the client sends its OpenPGP

635

public key in the TLS handshake; this ensures it to be

636

genuine. The server computes the fingerprint of the key

637

itself and looks up the fingerprint in its list of

638

clients. The <filename>clients.conf</filename> file (see

645

does have the correct key ID of the stored key ID. This is

646

guaranteed by the fact that the client sends its public key in

647

the TLS handshake; this ensures it to be genuine. The server

648

computes the key ID of the key itself and looks up the key ID

649

in its list of clients. The <filename>clients.conf</filename>

650

file (see

639

651

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

640

652

<manvolnum>5</manvolnum></citerefentry>)

641

653

<emphasis>must</emphasis> be made non-readable by anyone

693

705

</varlistentry>

694

706

695

707

<term>

696

<ulink url="http://www.gnu.org/software/gnutls/"

697

>GnuTLS</ulink>

708

<ulink url="https://gnutls.org/">GnuTLS</ulink>

698

709

</term>

699

710

700

711

<para>

701

712

GnuTLS is the library this server uses to implement TLS for

702

713

communicating securely with the client, and at the same time

703

confidently get the client’s public OpenPGP key.

714

confidently get the client’s public key.

704

715

</para>

705

716

</listitem>

706

717

</varlistentry>

738

749

</varlistentry>

739

750

740

751

<term>

741

RFC 4346: <citetitle>The Transport Layer Security (TLS)

742

Protocol Version 1.1</citetitle>

752

RFC 5246: <citetitle>The Transport Layer Security (TLS)

753

Protocol Version 1.2</citetitle>

743

754

</term>

744

755

745

756

<para>

746

TLS 1.1 is the protocol implemented by GnuTLS.

757

TLS 1.2 is the protocol implemented by GnuTLS.

747

758

</para>

748

759

</listitem>

749

760

</varlistentry>

759

770

</varlistentry>

760

771

761

772

<term>

762

RFC 5081: <citetitle>Using OpenPGP Keys for Transport Layer

763

Security</citetitle>

764

</term>

765

766

<para>

767

This is implemented by GnuTLS and used by this server so

768

that OpenPGP keys can be used.

773

RFC 7250: <citetitle>Using Raw Public Keys in Transport

774

Layer Security (TLS) and Datagram Transport Layer Security

775

(DTLS)</citetitle>

776

</term>

777

778

<para>

779

This is implemented by GnuTLS version 3.6.6 and is, if

780

present, used by this server so that raw public keys can be

781

used.

782

</para>

783

</listitem>

784

</varlistentry>

785

786

<term>

787

RFC 6091: <citetitle>Using OpenPGP Keys for Transport Layer

788

Security (TLS) Authentication</citetitle>

789

</term>

790

791

<para>

792

This is implemented by GnuTLS before version 3.6.0 and is,

793

if present, used by this server so that OpenPGP keys can be

794

used.

769

795

</para>

770

796

</listitem>

771

797

</varlistentry>

Older »